Satori: Botnet Targets Ethereum Miners

The masterminds of the botnet make good use of the computing power of their victims.

(Photo: Dwarfpool / Fabian A. Scherschel)

A new version of the Satori botnet, a successor to Mirai, steals the revenue of mining-rig operators. The malicious code probably abuses weak spots in the Claymore software.

Satori, the successor to the infamous IoT botnet Mirai, has recently turned its attention to computers that mine cryptocurrencies. What is new are attacks on mining rigs for the currency Ethereum. This is the first time that online criminals have targeted Ethereum on a large scale.
The botnet has been abusing a vulnerability in the Claymore mining software since January 8th. Claymore is used by members of mining pools to mine the cryptocurrencies Ethereum and Decred. The malicious code simply swaps out the victim's wallet address, so that the computers mine unnoticed for the operator of the botnet. In this way, the attackers have earned just over 2 ETH (currently just under 1800 euros). It is estimated that the attackers have up to one hundred computers under their control.
Move along, there is nothing to see here

The attacks were noticed by security researchers at the Chinese company Netlab 360. They assume that the botnet's malicious code is a new version of the already well-known Satori malware. A vulnerability in Claymore is exploited to pull the mining systems into the botnet, the researchers said. Several holes in the software are theoretically possible candidates.
Funnily enough, the "developer" of the malicious code thinks his software is doing "no evil" and has left an e-mail address at which he can supposedly be contacted.
"Satori dev here, dont be alarmed about this bot it does not currently have any malicious packing purposes move along."
His statement is obviously incorrect, because the software redirects the proceeds to other wallets, quite apart from the fact that it evidently installs itself on the systems without being asked.